Forum Discussion

bdavis's avatar
Icon for Nimbostratus rankNimbostratus
Jan 25, 2019

SSLi/SWG Transparent Proxy w/ Kerberos Auth

We have been testing out SSLi w/SWG Transparent deployment to replace our existing proxy technology. The issue we have ran into is that the SSL bypass feature that is built into the SWG per-request-policy, as well as the bypass feature in the Client SSL Profile, does not truly bypass SSL. What I mean by that is the F5 still makes the initial connection to the server-side to obtain the SNI value. I'm not sure why, when the SNI value can be obtained with a binary scan without breaking SSL. However that is how it is behaving. So in order to bypass any sites or destinations that fail termination on the F5, has to be bypassed within an irule by doing a binary scan for the SNI value and disabling the client and server-side profile, and/or by destination network range in some cases. What I have found is there is a LOT of sites that require this bypass method. To complicate it further, we use Kerosene with captive portal and if I do a ACCESS::session create for this bypass it creates a session without authenticating the user and breaks all there future traffic in that session that requires ldap groups and such to make it through the per-request-policy.


What this causes is a large amount of domains, subdomains, and destination ranges that when bypassed also bypass the SWG completely and are not filtered through categories, and are excluded from reporting. This is far from ideal, now I get that there is a lot of sites that have to be SSL bypassed. But there should be a way to still allow this traffic to be sent through categorization by SNI data without trying to make a connection from the f5 to do it. It's really making me reconsider utilizing the F5 for Proxy services and only have it handle the SSLi portion of the service. Which I really do not want to do.


I also plan to test out SSLo however I'm assuming under the covers it behaves the same way. It also does not support transparent proxy and will not support VIPRION w/vcmp at the moment, so I haven't spent much time on exploring this option.


My intent in posting this is, I'm curious if anyone else has deployed a similar setup and have they ran into these issues and was there any way to resolve these issues? I appreciate any help..


1 Reply

  • Hi Brett,


    I have done a good deal of work on SSLi on a Viprion (transparent proxy, NTLM and Kerberos auth via HTTP 401, etc.). Are you performing bypass to support mutual SSL authentication (e.g. client SSL certs) or for category (financials, government, healthcare) based bypass? SWG should handle the latter (categorization) but I believe you have to have the proper licensing for this functionality.


    I had some challenges getting domain based bypass to work. IP address (source and destination) worked fine. The F5 should not be establishing communications with the destination server if bypass is enabled. Where are you seeing this behavior?